acme-v2 error with custom dns-01 plugin #39

Closed
opened 2019-06-06 16:38:51 +00:00 by Ghost · 10 comments

Thanks for this great module - it's been so useful for us!

However, we've been attempting to write our own `greenlock-challenge-cloudflare` module as all of the existing Cloudflare DNS modules appear to be outdated and/or no longer working either with greenlock or Cloudflare API changes.

The WIP source for this can be found at https://github.com/nodecraft/greenlock-challenge-cloudflare, including a usage example, however, I'm having issues getting this to actually work, and am receiving an acme-v2 error.

The initial `_greenlock-dryrun-xxxx` works, but then the `_acme-challenge` fails with `Error: [acme-v2] (E_STATE_INVALID) challenge state for 'example.com': 'invalid'`. I can verify in my Cloudflare audit log that the DNS record is being set, so the issue doesn't lie there, but I'm pretty stuck as to what would be causing the issue I'm now seeing. Am I setting the wrong value?

If you have any insight I'd really appreciate it, and would be happy to answer any questions you may have.

Owner

Hey, you're welcome.

If the dry run succeeds and the actual fails, there's a good chance it's either an issue with DNS cache or DNS lag.

If you were to try again right now, there's a good chance it would succeed.

I'd say put in a 5 second pause (and preferably check that the record was successful) _before_ completing the promise.

This week and next we're actually working on a number of DNS plugins (we have a draft for Digital Ocean and DuckDNS that were developed / debugged yesterday and being tested today and tomorrow) because we want to be able to maintain them and make sure they don't get abandoned.

How would you like to co-author (add me as a collaborator to your github and as an owner on NPM) so that we can patch and bugfix?

Due to some concerns with branding and trademark we want to publish all of the acme challenge modules as `acme-dns-01-xxx` and `acme-http-01-xxx` rather than leading with `greenlock-`. There's an old frenemy of mine and his new business partner that have made threats to such an effect that we've had to be more considerate in copyright and trademark protection. As such we need to not let `greenlock` be used unofficially in ways that would be confusing as to the owner of the brand. Also, the new plugin API is more generic and not tied to Greenlock specifically.

Author

Thanks for the reply!

I assumed so too, but I added some pretty crazy delays in the script, and even had it wait upwards of 5 minutes too. I use `1.1.1.1` on my machine, and with Cloudflare DNS updates, this is pretty much instantaneous, so I'm still stumped as to what the issue could be. Before adding my own delays to the script I'd receive actual DNS errors, but seeing an `invalid` `acme-v2` error doesn't mean a whole lot to me.

I'm glad to hear that there are some "official" DNS plugins coming - seeing a lot of abandoned / opinionated / undocumented plugins was definitely a frustration for us when beginning to use this module.

I completely understand in regards to the branding and naming of the module. I'll be sure to rename this to `acme-dns-01-cloudflare`. I'd also be very happy to add you as an owner to that repo and npm project if you wish, just let me know your username on each platform.

Owner

I'm @coolaj86 on npm and @solderjs on github.

I'm assuming it passes `acme-challenge-test` just fine?

Are you setting a TTL? I'm going to make it part of the test to set the TTL to a low value.

The `_greenlock-dryrun-xxx` will never have cache issues because it's always different. The `_acme-challenge.` will because it's always the same.

Owner

I'll try to test it out tomorrow, if not tonight.

Author

Thanks. I've invited you to the GitHub, but am having trouble publishing on npm under `acme-dns-01-cloudflare` (seems to trigger a spam warning). I've contacted them to resolve this.

I actually haven't run it through `acme-challenge-test` but will see about doing that shortly, thanks. I am setting a TTL though, yes, to 120, which I believe is the lowest supported value in Cloudflare's DNS: https://github.com/nodecraft/acme-dns-01-cloudflare/blob/master/index.js#L51

Let me know when you have a chance to test, thanks!

Owner

Definitely run it through `acme-challenge-test` before anything else.

You'll want your test file to look something like this:

`test.js`:

```js
#!/usr/bin/env node
'use strict';

// https://git.coolaj86.com/coolaj86/acme-challenge-test.js
var tester = require('acme-challenge-test');

// Usage: node ./test.js example.com xxxxxxxxx
var zone = process.argv[2];
var challenger = require('./index.js').create({
  token: process.argv[3]
});

// The dry-run tests can pass on, literally, 'example.com'
// but the integration tests require that you have control over the domain
var domain = zone;

// Run the dns-01 suite three times: the bare zone, a subdomain, and a
// wildcard under that subdomain, stopping at the first failure.
tester
  .test('dns-01', domain, challenger)
  .then(function() {
    console.info('PASS', domain);

    domain = 'foo.' + zone;
    return tester
      .test('dns-01', domain, challenger)
      .then(function() {
        console.info('PASS', domain);
      })
      .then(function() {
        domain = '*.foo.' + zone;
        return tester.test('dns-01', domain, challenger).then(function() {
          console.info('PASS', domain);
        });
      });
  })
  .catch(function(e) {
    console.error(e.message);
    console.error(e.stack);
    // Make a failed suite visible to CI / shell callers
    process.exitCode = 1;
  });
```

And you can run the test like this:

```sh
npm install --save acme-challenge-test
node ./test.js baseurl secret-key
```

You may need to modify it to add a username or other parameters, but if that fails, you won't get very far with the live stuff.

Author

Thanks. I've updated the code to support `acme-challenge-test` now, primarily just by adding a `get` function, and it passes.

The `test.js` file just needs `CLOUDFLARE_APIKEY`, `CLOUDFLARE_EMAIL` and `DOMAIN` set as env variables to proceed and pass.

Author

I've now acquired https://www.npmjs.com/package/acme-dns-01-cloudflare on npm and have added you as a publisher. Let me know if I can do anything else to aid in the testing of this.

Author

It actually looks like the module is functional now, after my changes to support `acme-challenge-test`. Every now and then the DNS propagation delays I have in place aren't quite enough and DNS fails, but that can just be increased with a config var. I'm not sure there's a whole lot I can do about that to be honest - DNS propagation delays are a bit of a nightmare. Even when I bumped it to 30 retries at 10s between them (5 minutes!), there were still occurrences where DNS didn't propagate fast enough.

I've published the first functional version now. Thanks so much for your time looking into this!

Author

Going to go ahead and close this now as per exhaustive discussion in https://github.com/nodecraft/acme-dns-01-cloudflare/issues/1. Thanks!

Ghost closed this issue 2019-06-17 18:08:41 +00:00
Reference: coolaj86/greenlock.js-ARCHIVED#39